How to Disable SSH Password Authentication for Specific Users While Keeping Root Access



While working on hardening the security of my Debian Squeeze server, I needed to disable password-based SSH authentication for all users except root. The standard approach of setting PasswordAuthentication no in /etc/ssh/sshd_config would disable it globally, which wasn't what I wanted.

OpenSSH provides the Match directive in its configuration that allows conditional settings based on various criteria. Here's how to implement selective password authentication:

# First disable password auth globally
PasswordAuthentication no

# Then enable it only for root
Match User root
    PasswordAuthentication yes

I initially tried using negation in the Match block:

Match User !root
    PasswordAuthentication no

This didn't work because the negation syntax isn't supported in this context. The configuration parser simply ignored this line. The working solution is to set the default first, then override it for specific users.

If you want to allow password authentication for an entire group instead of just root, you could use:

PasswordAuthentication no
Match Group admins
    PasswordAuthentication yes

Remember these important points when modifying SSH configurations:

  • Always create a backup of /etc/ssh/sshd_config before making changes
  • Test configurations with sshd -t before restarting
  • Keep a separate SSH session open when testing changes
  • Reload SSH service with systemctl reload ssh instead of restart

If your changes don't seem to take effect:

  1. Verify the SSH service actually reloaded the configuration
  2. Check for syntax errors in the config file
  3. Ensure there aren't conflicting directives
  4. Look for include files that might override your settings

The SSH server configuration is controlled by the /etc/ssh/sshd_config file. This is where we'll make changes to disable password authentication for selected users while maintaining key-based authentication.

Here's the standard method to disable password authentication for all users except root:

# Disable password authentication globally
PasswordAuthentication no

# Then enable it only for root
Match User root
    PasswordAuthentication yes

For more specific control over user groups, you can use:

# Disable for everyone in 'restricted' group
Match Group restricted
    PasswordAuthentication no
    AuthenticationMethods publickey

# Or for specific users
Match User john,mary
    PasswordAuthentication no

If the Match User !root syntax doesn't work for you (as in the original question), the likely reasons are:

  1. The negation operator (!) might not be supported in older SSH versions
  2. The Match block must come after global settings
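To make the Match behaviour above concrete, here is an added Python model of how sshd arrives at a per-user PasswordAuthentication value. It is example code written for this page, not OpenSSH's code and not from the original post. It follows the rules documented in sshd_config(5) and the PATTERNS section of ssh_config(5): within a section the first value of a keyword wins, a satisfied Match block overrides the global section, and a pattern list made only of negated entries never produces a positive match, so even on versions that accept negation in Match, `Match User !root` matches nobody and would need a positive entry such as `*,!root`. The users, groups, configs and the has_authorized_key map are constructed for the demo; lockout_report is the kind of pre-reload check meant by "always maintain at least one key-based login method".

```python
"""Model of the sshd_config Match rules discussed above (added example, not
OpenSSH code): first obtained value of a keyword wins within a section, a
satisfied Match block overrides the global section, and pattern lists use
'*'/'?' wildcards plus '!' negation, where a negated entry alone never
yields a positive match. All users, groups and configs are constructed."""
import fnmatch

# Constructed account database: user -> primary + supplementary groups.
USERS = {"root": {"root"}, "alice": {"alice", "admins"}, "bob": {"bob", "developers"}}
DEFAULTS = {"passwordauthentication": "yes"}  # OpenSSH compiled-in default

# The post's approach: global default first, then Match overrides.
CONFIG_OVERRIDE = """
PasswordAuthentication no
Match User root
    PasswordAuthentication yes
Match Group admins
    PasswordAuthentication yes
"""
# The attempt that did not work: a pattern list with only a negated entry.
CONFIG_NEGATION_ONLY = """
Match User !root
    PasswordAuthentication no
"""
# Negation paired with a positive wildcard entry, as ssh_config(5) requires.
CONFIG_NEGATION_WILDCARD = """
Match User *,!root
    PasswordAuthentication no
"""


def match_pattern_list(pattern_list, value):
    """Like OpenSSH match_pattern_list(): -1 if a negated entry matches (the
    list rejects value), 1 if a positive entry matched and no negated one did,
    0 otherwise. fnmatchcase also accepts [seq], which OpenSSH does not."""
    result = 0
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(value, pat[1:] if negated else pat):
            if negated:
                return -1
            result = 1
    return result


def group_list_matches(pattern_list, groups):
    """Match Group: a negated hit on any group rejects; a positive hit accepts."""
    outcomes = [match_pattern_list(pattern_list, g) for g in sorted(groups)]
    return -1 not in outcomes and 1 in outcomes


def parse(config_text):
    """Return (global_settings, [(criteria, settings), ...]); setdefault keeps
    only the first value of each keyword in a section."""
    global_settings, blocks, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            tokens = value.split()  # "User root Group admins" -> criterion pairs
            current = {}
            blocks.append((list(zip(tokens[0::2], tokens[1::2])), current))
            continue
        (global_settings if current is None else current).setdefault(keyword, value)
    return global_settings, blocks


def block_applies(criteria, user, groups):
    """Every criterion on the Match line must hold ('Match All' has none)."""
    for crit, pattern in criteria:
        if crit.lower() == "user":
            ok = match_pattern_list(pattern, user) == 1
        elif crit.lower() == "group":
            ok = group_list_matches(pattern, groups)
        else:
            raise ValueError(f"criterion not modelled here: {crit}")
        if not ok:
            return False
    return True


def effective(config_text, user, keyword="PasswordAuthentication"):
    """First satisfied Match block that sets keyword, else global, else default."""
    keyword = keyword.lower()
    global_settings, blocks = parse(config_text)
    for criteria, settings in blocks:
        if keyword in settings and block_applies(criteria, user, USERS.get(user, {user})):
            return settings[keyword]
    return global_settings.get(keyword, DEFAULTS.get(keyword))


def lockout_report(config_text, has_authorized_key):
    """Pre-reload check: users losing password login who (per the constructed
    has_authorized_key map) have no key would be locked out."""
    return sorted(u for u in USERS
                  if effective(config_text, u) == "no" and not has_authorized_key.get(u))


if __name__ == "__main__":
    for u in USERS:
        print(u, effective(CONFIG_OVERRIDE, u), effective(CONFIG_NEGATION_ONLY, u),
              effective(CONFIG_NEGATION_WILDCARD, u))
    print("locked out under override:", lockout_report(CONFIG_OVERRIDE, {"alice": True}))
```

Run it and the negation-only config yields "yes" for every user (the block never matches, which is what the original attempt showed), while the override config and the `*,!root` form both leave root with password login and everyone else without. On a live server, where your sshd supports it, the equivalent check against the real file is `sshd -T -C user=alice,host=example.test,addr=203.0.113.5` (host and addr are placeholder values), which prints the effective settings after Match processing for that connection.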

Here's a complete example:

# Global settings
Port 22
Protocol 2
PermitRootLogin yes

# Default authentication methods
PubkeyAuthentication yes
PasswordAuthentication no

# Exceptions
Match User root
    PasswordAuthentication yes

Match Group developers
    PasswordAuthentication no
    AllowAgentForwarding yes
    X11Forwarding yes

After making changes:

# Test configuration syntax
sudo sshd -t

# If no errors, restart SSH
sudo systemctl restart sshd

Remember to:

  • Always maintain at least one key-based login method
  • Test changes in another session before logging out
  • Consider using two-factor authentication for sensitive accounts